An alarm you can’t snooze: how CapFix targets Russian organizations

A malicious PDF containing a “CHM оснастка” (CHM snap-in) button triggered the download of sankcionnui-MO-RF.rar from a compromised legitimate site, and numerous similarly named PDFs were identified. Analysis attributes the campaign to the financially motivated CapFix group and confirms the malware is CapDoor, with attackers using spoofed Windows-update domains including windowsextupdates.com as a CapDoor C2. #CapDoor #CapFix

Keypoints

  • Clicking the “CHM оснастка” (CHM snap-in) button in the PDF triggered a download of sankcionnui-MO-RF.rar from a compromised legitimate site.
  • Multiple PDFs exhibited the same behavior, including files named “Инструкция_минная_угроза_ВСУ_10.11.2025.pdf” (Mine_threat_instructions_AFU_10.11.2025.pdf) and “Перечень_документов_для_отчета_по_тренингу_ИБ_ФСБ (56).pdf” (List_of_documents_for_FSB_IS_training_report (56).pdf).
  • F6 researchers previously linked these attacks to the financially motivated CapFix group; the current analysis confirms the malware family as CapDoor.
  • Attack infrastructure included both legitimate IPs and a custom attacker-controlled domain used as CapDoor C2: https://windowsextupdates.com/bitrix24/?login=[a z]{30}.
  • The domain windowsextupdates.com was registered with the email [email protected]; three domains tied to that address masquerade as Windows updates: microsoftpathes.com, windowsextupdates.com, and securityswindows.com.
  • An MSI sample (dmitry_medvedev.msi) was observed as part of the campaign’s delivery or execution chain.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The campaign delivered payloads by downloading an archive from a compromised site (‘download of sankcionnui-MO-RF.rar from a compromised legitimate site’).
  • [T1204.002] User Execution: Malicious File – Victim interaction with a PDF element caused execution/download of malicious content (‘Clicking the “CHM оснастка” (CHM snap-in) button in the PDF triggered the download’).
  • [T1071.001] Application Layer Protocol: Web Protocols – CapDoor used HTTPS web requests to a custom domain for C2 communications (‘https://windowsextupdates.com/bitrix24/?login=[a z]{30}’).
  • [T1588.002] Acquire Infrastructure: Domain Registration – Threat actors registered multiple spoofed Windows-update domains to host or mask C2 and payload distribution (‘domains tied to this address, all masquerading as Windows updates: microsoftpathes.com, windowsextupdates.com, securityswindows.com’).

Indicators of Compromise

  • [File name] Malicious and dropper filenames observed – sankcionnui-MO-RF.rar, dmitry_medvedev.msi
  • [PDF filename] Lures used in phishing documents – “Инструкция_минная_угроза_ВСУ_10.11.2025.pdf” (Mine_threat_instructions_AFU_10.11.2025.pdf), “Перечень_документов_для_отчета_по_тренингу_ИБ_ФСБ (56).pdf” (List_of_documents_for_FSB_IS_training_report (56).pdf)
  • [Domain] Attacker-controlled C2 and spoofed update domains – windowsextupdates.com, microsoftpathes.com (also securityswindows.com)
  • [URL] C2 URL pattern observed – https://windowsextupdates.com/bitrix24/?login=[a z]{30}
  • [Email] Registrant email used to create malicious domains – [email protected]
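As an added example (not part of the original summary or the vendor's research), a small Python hunt that runs the domain, C2 URL and lure-archive indicators above over constructed proxy log lines. The page prints the login parameter pattern as `[a z]{30}`; the character class is assumed here to be `[a-z]`, and the log format and IPs are invented.

```python
import re
from urllib.parse import urlsplit

# Indicators reported on the page. The login pattern is printed there as
# "[a z]{30}"; the character class is assumed here to be [a-z].
SPOOFED_UPDATE_DOMAINS = {
    "windowsextupdates.com", "microsoftpathes.com", "securityswindows.com",
}
C2_URL_RE = re.compile(r"^https://windowsextupdates\.com/bitrix24/\?login=[a-z]{30}$")
LURE_ARCHIVE = "sankcionnui-mo-rf.rar"

# Constructed proxy log (fields: timestamp, client IP, method, URL); not real telemetry.
SAMPLE_PROXY_LOG = """\
2025-11-10T09:15:02Z 10.0.4.21 GET https://windowsextupdates.com/bitrix24/?login=kqzmwplervtyxbncafghudsoijmrlq
2025-11-10T09:15:40Z 10.0.4.21 GET https://microsoftpathes.com/update/check
2025-11-10T09:16:01Z 10.0.4.33 GET https://update.microsoft.com/
2025-11-10T09:17:15Z 10.0.4.21 GET https://compromised-site.example/files/sankcionnui-MO-RF.rar
2025-11-10T09:18:22Z 10.0.4.33 GET https://windowsextupdates.com.example.net/
"""

def classify_request(url):
    """Return the set of CapFix/CapDoor indicators that one requested URL matches."""
    tags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host comparison: "windowsextupdates.com.example.net" must not match.
    if host in SPOOFED_UPDATE_DOMAINS:
        tags.add("spoofed_update_domain")
    if C2_URL_RE.match(url):
        tags.add("capdoor_c2_beacon")
    if parts.path.lower().endswith(LURE_ARCHIVE):
        tags.add("capfix_lure_archive")
    return tags

def hunt(log_text):
    """Map each client IP to the indicators seen in its requests; clients with no hits are omitted."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line, skip it
        _ts, client, _method, url = fields
        tags = classify_request(url)
        if tags:
            hits.setdefault(client, set()).update(tags)
    return hits

if __name__ == "__main__":
    for client, tags in sorted(hunt(SAMPLE_PROXY_LOG).items()):
        print(client, sorted(tags))
```

Feed `hunt()` real proxy or DNS logs in the same four-field shape to pivot from a single C2 beacon to the host that also fetched the lure archive.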


Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/an-alarm-you-can-t-ignore-how-capfix-attacks-russian-organizations